Activant Eagle PA-DSS Implementation Guide

Transcription

1 ACTIVANT EAGLE PA-DSS IMPLEMENTATION GUIDE PA-DSS IMPLEMENTATION GUIDE Activant Eagle PA-DSS Implementation Guide EL2211

2 This manual contains reference information about software products from Activant Solutions Inc. The software described in this manual and the manual itself are furnished under the terms and conditions of a license agreement. The software consists of software options that are separately licensed. It is against the law to copy the software on any medium, or to enable any software options, except as specifically permitted under the license agreement. In addition, no part of this manual may be copied or transmitted in any form or by any means without the prior written permission of Activant Solutions Inc. From time to time, Activant makes changes to its software products. Therefore, information in this manual is subject to change, and the illustrations and screens that appear in the manual may differ somewhat from the version of the software provided to you. Created by Learning Products and Education Copyright: 2010 Activant Solutions Inc. All rights reserved. Activant, the Activant stylized logo design, and Eagle are registered trademarks, and Activant Eagle is a trademark, of Activant Solutions Inc. All other trademarks are property of their respective owners. Activant Solutions Inc Southfront Road Livermore, CA Document No. EL2211 Publication Date: May 2010 EL2211 Activant PA-DSS Implementation Guide 2

3 Introduction Additional Resources For your convenience, this document encapsulates the procedures from the PA-DSS Technical Manual. If desired, you can download the technical manual from the Activant website, but this is optional. Click the following link to access the document. PA-DSS Setup Overview Use this document to guide you through the PCI implementation process. To proceed, the following must be true: You have installed Eagle for Windows Release If you use Eagle Mobile, you must be on Eagle Mobile release or higher. You have worked with your Local Platform Specialist (LPS) to address any upgrades to peripherals or changes to your network setup. The procedures described in this document include: Install and Set Up SecureAccess Install and Set Up SSH for Legacy RF Guns Set Up Options Change User s Security Bits Microsoft Windows Setup Run OSPREY Utilities Review Additional Information Indicate Your System Is Now PCI Compliant Maintain Your Security Updates EL2211 Activant PA-DSS Implementation Guide 3

4 Install and Set Up SecureAccess You must install the SecureAccess application on PCs from which you access any of Network Access ( legacy ) applications. To download SecureAccess, visit our PCI Readiness website at: Install and Set Up SSH for Legacy RF Guns You must install and set up an SSH version of the Wavelink emulation software for Legacy RF guns including the Motorola (Symbol) MC3090, Motorola (Symbol) MC9090, and Datalogic Falcon For the procedure, see document number EL2209 Installing the TelnetCE SSH Plug-In Component. This document is available on Activant s website. Click the link below to access the document. CE_SSH_plug-in_component_final.pdf Set Up Options In Options Configuration, click ID, type the option ID number from the table below, and click OK. Click in the Current Value column, and select the setting indicated in the table. Repeat this process for each option listed in the table. Option Description ID# 311 Days to store credit card numbers in Quick Recall Set Option to this: 180 days or less. Additional Information Card numbers older than the value in this option are truncated with x s (e.g., 1234xxxxxxxx5678) when you run QRCCC in the next section. PA-DSS Requirement (PA-DSS Requirements 1.1.4, 2.1) It is both the merchant s and reseller s responsibility to remove any sensitive authentication data (magnetic stripe data, card validation values or codes, PINs or PIN block data, cryptographic key material, or cryptograms (e.g., encrypted credit card numbers)) stored by previous versions of the Eagle for Windows software. It is the responsibility of Activant Solutions Inc. to provide EL2211 Activant PA-DSS Implementation Guide 4

5 a means to do this. Removal of this prohibited historical data is absolutely necessary for PCI compliance NetAccess.net on system Yes Net Access.net tells Eagle for Windows to launch SecureAccess in place of Network Access, and disables Telnet upon the next reboot, so that only SSH is allowed through SecureAccess. These two options fulfill PA-DSS Requirements 2.3, 1.1.5, b, and CHILKAT on System 8965 Eagle for Windows startup action when trace logging is enabled Yes D-Deny CHILKAT is the name of the program used for Secure FTP through SSH. This tells Eagle for Windows to use SFTP in place of all FTP functions and it disables normal FTP on the next reboot. This ensures that trace logs are never written to the local PC if trace logging is enabled on the system. Change Users Security Bits Guidelines for Password Controls The following are the PA-DSS guidelines for password controls. You are advised against using administrative accounts for application logins (e.g., don t use the sa account for application access to the database). (PA- DSS 3.1c) You are advised to assign strong passwords to these default accounts (even if they won t be used), and then disable or do not use the accounts. (PA-DSS 3.1c) You are advised to assign strong application and system passwords whenever possible. (PA-DSS 3.1c) You are advised how to create PCI DSS-compliant complex passwords to access the payment application, per PCI Data Security Standard through (PA-DSS 3.1c) EL2211 Activant PA-DSS Implementation Guide 5

6 You are advised to control access, via unique username and PCI DSS-compliant complex passwords, to any PCs, servers, and databases with payment applications and cardholder data. (PA-DSS 3.2) You are advised that changing out of the box installation settings for unique user IDs and secure authentication will result in noncompliance with PCI DSS. Passwords should meet the requirements set in PCI DSS section through , as listed here. Do not use group, shared, or generic accounts and passwords. Change user passwords at least every 90 days. Require a minimum password length of at least seven characters. Use passwords containing both numeric and alphabetic characters. Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used. Limit repeated access attempts by locking out the user ID after not more than 6 attempts. Set the lockout duration to thirty minutes or until administrator enables the user ID. If a session has been idle for more than 15 minutes, require the user to re-enter the password to re-activate the terminal. Changing Security on the Eagle System 1. For users with any of the following security bits set to Yes, you must change them to a High Security Password user, or change the following security bits to No. 2. (PA-DSS Requirements 3.1 and 3.2) Security Bit Description 14 Add/Change/Delete security settings, bit lists 91 Allow system admin utilities (such as CDT, OSPREY, SHOWTASK) 506 Allow access to OSPREY's USRLOGIN function 689 View full customer credit card number 691 View full customer credit card number (decrypted mode) 757 Ability to view bankcard number in QuickRecall Users with any of these security bits set to Yes who are not set up as High Security Password users will not be allowed to log into the Eagle Browser or Eagle for Windows POS. For more information about changing a user s security bits, or about setting up High Security Passwords, see online help: From the Contents tab, click System Management Security. EL2211 Activant PA-DSS Implementation Guide 6

7 3. Make sure the user SYSTEM has the security bits in the list above set to No. 4. If a user has one or more of these security bits set to Yes, set option 3 Check Password at POS to Yes as follows: 5. In the Options Configuration window, click ID, type 3, and press Enter. 6. In the User field, select the appropriate user. 7. Change the Current Value column of Check Password at POS to Yes, and click OK. 8. Click Change on the toolbar to save the setting. 9. Repeat this process for any other users who require option 3 Check Password at POS set to Yes. 10. Set special security to S on all terminals. In the Options Configuration window, click ID, type 520, and press Enter. In the Terminal field, select the terminal number. Change the Current Value column of Terminal s Special Security to Yes, and click OK. Click Change on the toolbar to save the setting. Repeat this process for all other terminals. Microsoft Windows Setup This section describes the changes you must make in Microsoft Windows to meet PCI Compliance standards. Enabling Strong Passwords/Password Expiry/Screen Saver Passwords For a password to be strong, it should: Be at least seven characters long. Because of the way passwords are encrypted, the most secure passwords are seven or 14 characters long. Contain characters from each of the following three groups: EL2211 Activant PA-DSS Implementation Guide 7

8 Group Letters (uppercase and lowercase) Examples A, B, C... (and a, b, c...) Numerals 0, 1, 2, 3, 4, 5, 6, 7, 8, 9 Symbols (all characters not defined as letters or numerals) ` # $ % ^ & * ( ) _ + - = { } [ ] \ : " ; ' < >?,. / Have at least one symbol character in the second through sixth positions. Be significantly different from prior passwords. Not contain your name or user name. In addition to setting up strong passwords, you may also want to set up Lockout Policies, which can be used to temporarily or permanently (until reset) lock out a user after a certain number of failed login attempts. This is useful for systems that may be accessible by the general public, and prevents someone from trying to guess a login password. There are many other policies that you can enable/disable using Lockout Policies, but be careful as you can restrict yourself so much that you can no longer access the system. Carefully read and understand the various policies if you decide to pursue further policy changes. Enabling Strong Passwords/Password Expiry/Screen Saver Passwords - Windows 7 and Vista Only If you use Windows XP, skip to the next section. To set up password enforcement in Windows 7 or Vista, you must be an Administrator. Set up global Per User password requirements, as follows: 1. Click Start, Run, then type secpol.msc into the text box, and click OK. Here is an example of what the editor looks like when first started: EL2211 Activant PA-DSS Implementation Guide 8

9 2. To set password policies, double click the Account Policies item in the left pane. You will then see the Password Policy item in the right pane. Double click this item and the following displays: 3. Double click each item in the right pane to set its value. Below are some recommended settings: 4. When you are finished, close the Local Security Policy window. 5. Enable the requirement to enter a password when resuming from sleep mode, or when the screen saver has been activated. Click Start, then Control Panel, then Personalization. 6. Select Screen Saver. Enter 10 in the Wait field, click the checkbox for On resume, display logon screen, and click OK. EL2211 Activant PA-DSS Implementation Guide 9

10 Enabling Strong Passwords/Password Expiry/Screen Saver Passwords- Windows XP Only This procedure is for Windows XP users only. Go to the previous section if you use Windows 7 or Vista. To set up password enforcement in Windows XP, you must be an Administrator. Set up global Per User password requirements, as follows: 1. Click Start, Run, then type secpol.msc into the text box, and click OK. Here is an example of what the editor looks like when first started: 2. To set password policies, double click the Account Policies folder in the left pane. You will then see the Password Policy folder in the right pane. Double click this folder and the following displays: EL2211 Activant PA-DSS Implementation Guide 10

11 3. Double click each item in the right pane to set its value. Below are some recommended settings: 4. When you are finished, close the Local Security Settings window. 5. Enable the requirement to enter a password when resuming from sleep mode, or when the screen saver has been activated. 6. Click Start, click Control Panel, then click the Display icon. 7. Click the Screen Saver tab. 8. Enter 10 in the Wait field, click the checkbox for On resume, display logon screen, and click OK. EL2211 Activant PA-DSS Implementation Guide 11

12 Run Osprey Utilities Configure the SysLog Server in SETIP IMPORTANT! Activant strongly recommends that you consult with your Local Platform Specialist (LPS) before attempting to set up the SysLog Server. You must configure the Eagle to pass logs to a SysLog Server in order to be compliant with PCI DSS. If you are executing this procedure during business hours, you must use Offline POS until because this process puts the system into Quiet mode. All logging conforms to PCI DSS version 1.2 requirements and The Syslog Server itself provides a prompt backup audit trail to a centralized log server that is difficult to alter, as per PCI DSS From the console terminal (the one attached to the CPU), at the login prompt, type OSPREY and press Enter. At Password, type AVATAR and press Enter. 2. At Selection, type SetIP and press Enter. This quiets the system (you cannot run any eagle applications except Offline POS). 3. Type an e, and press Enter. Then type yes, and press Enter to put the system in maintenance mode. 4. At the prompt, Do you want to change the current setting (y/n) [default y]? press Enter to accept the default of yes. EL2211 Activant PA-DSS Implementation Guide 12

13 At this point, a series of prompts will display, one by one, on the screen. Simply press Enter for every prompt, until you get to the prompt to set up the logging server. At this point, select y to add syslog servers. 5. Type a lowercase a to add syslog server for compliancy regulations. Note: You will also be required to know the port number and protocol in use; the default for most syslog servers is 514 and UDP. 6. Enter the log server address. Then press Enter. 7. Enter the log server port number. Then press Enter. 8. Enter the log server protocol. Then press Enter. 9. Once you have added your required syslog servers, press Enter through the rest of the prompts that display. 10. When the SETIP main screen redisplays, when asked if you want to continue editing the configuration, type n and press Enter. Press Enter at the following prompt: Do you want to update the network settings (y/n) [default y]? 11. Press Enter at the following prompt: Please press <ENTER> to continue. 12. At the main menu, press <Esc>, and then press the spacebar. 13. Press Enter at the following prompt: Type 'QUIET' if you do NOT want the system back in normal mode now. Changes take effect after the reboot. Truncate or Encrypt Credit Card Data with QRCCC Use Osprey function QRCCC (QuickRecall Credit Card Clean-Up) to either truncate existing credit card data (based on option 311), or encrypt it into the card number encryption file (MSF). 1. From the console terminal (the one attached to the CPU), at the login prompt, type OSPREY and press Enter. At Password, type AVATAR and press Enter. 2. At Selection, type QRCCC and press Enter. EL2211 Activant PA-DSS Implementation Guide 13

14 3. Type T to truncate, or E to encrypt. 4. At Action, type E to execute, and press Enter. Review Additional Information Review the information in this section to verify that you are complying with the relevant PA-DSS requirements discussed. Remote Access Two-factor Authentication (PA-DSS Requirement 11.2) If Eagle for Windows can be accessed remotely, all network connectivity must use twofactor authentication per PCI DSS requirement 8.3. Implement two-factor authentication for remote access to the network by employees, administrators, and third parties. Use technologies such as a remote authentication and dial-in service (RADIUS) or a terminal access controller access control system (TACACS) with tokens; or VPN (based on SSL/TLS or IPSEC) with individual certificates. Both a password and an additional authentication item (for example, smart card, token, PIN) must be required. Remote Access Software Security Configuration (PA-DSS Requirement 11.3) Implement the following applicable security features for all remote access software used by the merchant, reseller or integrator. Change default settings in the remote access software (for example, change default Passwords and use unique Passwords for each customer) Allow connections only from specific (known) IP/MAC addresses. Use strong authentication or complex passwords for logins. Enable encrypted data transmission. Enable account lockout after a certain number of failed login attempts. Configure the system so a remote user must establish a Virtual Private Network ( VPN ) connection via a firewall before access is allowed. Enable the logging function. Restrict access to customer Passwords to authorized reseller/integrator personnel. Establish customer Passwords as described in section Password Controls of this document (according to PCI DSS requirements 8.1, 8.2, 8.4, and 8.5). Disable Remote Access via Modem The Eagle system allows remote access via modem. Any method of remote access by vendors must be activated only when needed by vendors, with immediate deactivation after use. To disable remote access via modem, go to Function SETRSP (available from the Eagle for Windows Launch Bar or from Network Access) and choose Disable. Encrypt Network Traffic Transmission of Cardholder Data (PA-DSS Requirement 12.1) EL2211 Activant PA-DSS Implementation Guide 14

15 Eagle uses strong SSL/TLS encryption technology when transmitting cardholder data over networks between the Eagle client and server. Outgoing connections over public networks are protected by the included ProtoBase software. End-user Messaging and Cardholder Data (PA-DSS Requirement 12.2) Eagle for Windows does not include or support any end-user messaging technologies (e.g., , instant messaging, and chat). Unencrypted cardholder data must never be sent using these technologies. Non-Console Administrative Access (PA-DSS Requirement 13.1) Eagle uses SSH for encryption of for all non-console administrative access to payment application or servers in cardholder data environment. Telnet or other non-encrypted access methods must not be used. Indicate Your System Is Now PA-DSS Compliant To indicate that your system is now PA-DSS compliant, you must set option 1061 PA- DSS Compliant System to Yes in the Options Configuration window. This option is password-controlled; therefore, the process to change it is different from setting other options. To set to Yes: 1. In Options Configuration, click ID, type 1061, and press Enter. 2. Click Misc. on the toolbar. 3. Choose option F to restore option to factory default (which is Yes) 4. Click Change (F5). Maintain Your Security Updates Now that you have completed all the steps to implement PCI compliance, be sure to maintain your system s security updates by visiting Activant s PCI Readiness site on a regular basis. The site is located at: EL2211 Activant PA-DSS Implementation Guide 15